On a Conjectured Ideal Autocorrelation Sequence and a Related Triple-Error Correcting Cyclic Code

Transcription

1 680 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000 [13] B. R. McDonald, Finite Rings with Identity. New York: Marcel Dekker, [14] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North Holland, [15] I. Niven, H. S. Zuckerman, and H. Montgomery, An Introduction to the Theory of Numbers, 5th ed. New York: Wiley, [16] J. P. Pedersen and C. Dahl, Classification of pseudo-cyclic MDS codes, IEEE Trans. Inform. Theory, vol. 37, pp , Mar [17] N. J. A. Sloane and J. G. Thompson, Cyclic self-dual codes, IEEE Trans. Inform. Theory, vol. IT-29, pp , May [18] M. van Eupen and J. H. van Lint, On the minimum distance of ternary cyclic codes, IEEE Trans. Inform. Theory, vol. 39, pp , Mar [19] L. R. Vermani, Elements of Algebraic Coding Theory. London, U.K.: Chapman & Hall, On a Conjectured Ideal Autocorrelation Sequence and a Related Triple-Error Correcting Cyclic Code Anchung Chang, Memeber, IEEE, Peter Gaal, Solomon W. Golomb, Fellow, IEEE, Guang Gong, Tor Helleseth, Fellow, IEEE, and P. Vijay Kumar, Member, IEEE Abstract In a recent paper, No, Golomb, Gong, Lee, and Gaal conjectured that certain binary sequences having a simple trace description possess the ideal autocorrelation property. In the present correspondence it is shown that each such sequence is balanced and, moreover, that the dual of the linear cyclic code generated by the sequence and its cyclic shifts, is a triple-error correcting code having the same weight distribution as the triple-error correcting Bose Chaudhuri Hocquenghem (BCH) code. This cyclic code also contains a cyclic subcode that yields a new family of sequences having the same size and correlation parameters as does the family of Gold sequences. Index Terms Autocorrelation, BCH code, cyclic codes, cyclic Hadamard difference sets, Gold codes, ideal autocorrelation, triple-error correcting code. I. INTRODUCTION For any integer k 1 let F 2 k denote the finite field of 2 k elements. Let m 2 be an integer and n =2m +1. Let T : F 2 n! F 2 denote the trace function given by n01 T (x) = x 2 ; x 2 F 2 n: i=0 Manuscript received August 7, 1998; revised October 20, This work was supported in part by the National Science Foundation under Grant NCR and in part by the Norwegian Research Council. A. Chang is with Hughes Space and Communications, Los Angeles, CA USA. P. Gaal is with Qualcomm Inc., San Diego, CA USA. S. W. Golomb and P. V. Kumar are with the University of Southern California, Los Angeles, CA USA. G. Gong is with the Center for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ont. N2L 3G1, Canada. T. Helleseth is with the Department of Informatics, University of Bergen, N-5020 Bergen, Norway. Communicated by T. Kløve, Associate Editor for Coding Theory. Publisher Item Identifier S (00) Set to be a primitive element of F 2 n and set r =2 m Based upon extensive numerical evidence, it has been conjectured by No, Golomb, Gong, Lee, and Gaal [18] that the sequence s(t) =T t + rt + r t has the ideal autocorrelation function, i.e., 2 02 (01) s(t+)+s(t) = 2n 0 1; if =0 01; otherwise. t=0 Let F denote the family of 2 n +1sequences F = T rt + r t + t+i 0 i 2 n 0 2 T rt + r t T t : Other numerical results (for n odd, 5 n 19) suggest that the family of sequences F has a correlation distribution identical to that of the well-known family of binary Gold sequences. This conjecture appears in [9] and has recently been proven in [6]. A Gold sequence family has a similar description as do the sequences in family F. The only change required is that the terms rt + r t in the above, are replaced by dt for a suitable integer d. A formal definition of Gold sequences and the correlation spectrum of a Gold sequence family may be found in [19, pp ]. For additional descriptions, see [11] and [12], as well as the original paper by Gold [8]. A different family of sequences also having the same correlation distribution as the Gold sequence family is presented in [1]. The first result of the correspondence will show that fs(t)g has the balance property, i.e., 2 02 (01) s(t) 0 1; t=0 which is a necessary condition for the sequence to have the ideal autocorrelation property. This will be shown by proving that the function f (x) =x + x r + x r is a permutation polynomial, i.e., by showing that the function f is a one-one map from F 2 n onto F 2 n. Note that s(t) =T (f( t )). Let C denote the [2 n 0 1; 3n] binary cyclic code given by C = T a t + b rt + c r t a; b; c 2 F 2 n : The second and main result of the correspondence will establish that for n odd, n 5, the dual C? of the code C is a triple-error correcting cyclic code having the same weight distribution as the triple-error correcting primitive Bose Chaudhuri Hocquenghem (BCH) code of the same length. To the authors knowledge, this result has not previously appeared in the literature. The weight distribution of the dual of the triple-error correcting BCH is given in [15, p. 669]. The weight distribution of the code itself may be found using MacWilliams identities. Proof of the main result proceeds as follows. It is first shown that the minimum Hamming distance d of C? is 7. Next, a theorem of McEliece is used to show that the Hamming weight of each codeword in C is divisible by 2 m. McEliece s theorem [15], [17] connects the divisibility of codeword weights by powers of 2 to the smallest number of nonzeros of C whose product is 1. Application of McEliece s theorem in the present instance led the authors to an interesting and nontrivial tiling problem. Thereafter, the proof follows Lemma 3 of a recent paper by Canteaut, Charpin, and Dobbertin [2] who build on an earlier technique of Kasami [13]. Section II proves balance of the sequence fs(t)g and also that C? has minimum distance 7. Section III contains the divisibility result. Section IV concludes the proof using the approach of Kasami and of Canteaut, Charpin, and Dobbertin /00$ IEEE

2 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH Note: Since the initial submission of this manuscript, Dillon and Dobbertin [6] have proven that the conjectured sequences indeed have ideal autocorrelation function. II. BALANCE AND A BOUND ON DUAL DISTANCE Theorem 1: The function f (x) =x + x r + x r : F 2! F 2 is a permutation polynomial. Proof: Since (r; 2 n 0 1) = 1, r is invertible (mod 2 n 0 1). In fact, if we set q =2 m+1, r 01 = q 0 1 is easily checked. Let g(x) be the function defined by g(x) =f x 0(q01) : Then it can be verified by straightforward substitution that g(g(x)) = x i.e., g is an involution. It follows that f like g, is a permutation polynomial. Our next result will make use of a bound on the minimum distance of cyclic codes due to Hartmann and Tzeng [15]. A version of the theorem that applies in the present situation is stated below. Theorem 2 Hartmann Tzeng: Let g(x) 2 F 2[x] be the generator polynomial of a cyclic code 0 of length 2 n 0 1 and let be a primitive element of F 2.Ifg( l+ic +jc )=0for i =0; 1; 2; 111;d and j = 0; 1; 2; 111;s, where l is an arbitrary integer and (2 n 0 1; c 1 )=(2 n 0 1; c 2 )=1, then the minimum distance d of 0 satisfies d d 0 + s. Setting s = 0;c 1 = 1in the Hartmann Tzeng (HT) bound, one obtains the BCH bound. Theorem 3: The minimal distance d of C? is at least 7. Proof: We use the fact that d is also equal to the minimum weight of a nonzero codeword in C?. Let a =[a 0 ;a 1 ; 111;a 2 02] be a codeword in C? and let be, as before, a primitive element of F 2. The Fourier transform A of a is defined by 2 02 A = t=0 at t ; =0; 1; 111; 2 n 0 2: Considering fag as a periodic sequence of period 2 n 0 1, itis well known (see, for example, [20] or as pointed out by a referee, [16, Theorem II.5]) that the Hamming weight of a equals the linear complexity [12] (also called linear span) of the sequence fag. It therefore is enough to show that A 0 A A 2 02 A 1 A A A 2 02 A A 2 03 Let us define two elements a; b 2 Z 2 7: 01 to be equivalent if a =2 i b (mod 2 n 0 1); for some i 0: This partitions Z 2 01 into equivalence classes which are called [15] 2-cyclotomic cosets modulo 2 n 0 1. Let Cl; l 2 Z 2 01 denote the 2-cyclotomic coset containing l. Then the following can be verified: r C 1 2r Cr+3 fr; r +1; 2r; 2r +2gCr f2r +1; 3r +1gC r : We know that the codewords a in C? satisfy A =0; 2 C 1 [ Cr [ C r : 3r Cr+2 In what follows, we will employ the following notation: we will write Ai to represent a Fourier transform coefficient of a codeword in C? that is known to equal 0;a + will denote elements that are known or assumed to be nonzero; and a? will represent transform coefficients whose values are either unknown or irrelevant. It will be found convenient to argue separately the cases of odd and even weight codewords. Within these two classes, we will investigate subclasses obtained by assuming elements belonging to certain chosen cyclotomic cosets to either be zero or nonzero. Often codewords within such subclasses can be analyzed for their minimum Hamming weight using either the BCH or HT bounds. Case i): Odd weight codewords (i.e., A 0 =1). a) Ar+2 6= 0and A 3r+2 6=0. The of the matrix is at least as large as the of the following submatrix: Ar01 Ar Ar+1 + A 2r A2r+1 Ar Ar+1 +? A 2r+1 A 2r+2 Ar+1 +?? A 2r+2? +???? + A 2r A2r+1 A 2r+2? A 3r+1 + A 2r+1 A 2r+2? + +? =6: b) Ar+2 6= 0, A 3r+2 =0, and A 3r+3 =0. We apply the HT bound with the following parameters: l+ic 1+jc 2, l = r01, c 1 =1, c 2 = r+1, i =0; 1; 2, and j =0; 1; 2. (It is easily checked that (2 n 01; c 1 )=(2 n 01; c 2 )=1). The HT bound then gives d 6. c) Ar+2 6= 0, A 3r+2 =0, and A 3r+3 6= 0. The of the matrix is at least as large as the of the following submatrix: + A 1 A 2? Ar+1 + A 1 A 2? A 4 +? Ar01 Ar Ar+1 + A 2r A 2r+1 Ar Ar+1 +? A 2r+1 A 2r+2 Ar+1 +?? A 2r+2? A 2r+1 A 2r+2? + A 3r+2 + =6: d) Ar+2 =0and Ar+3 =0. Applying the BCH bound using consecutive zeros Ar01; Ar; 111;Ar+3 we get d 6. e) Ar+2 =0, Ar+3 6= 0, and A 3r+2 =0. We apply the HT bound with parameters l + ic 1 + jc 2, l =1, c 1 = 1, c 2 = r, i = 0; 1, and j = 0; 1; 2; 3. (Again, both c 1 =1and c 2 = r are relative prime to 2 n 0 1.) The HT bound then gives d 6. f) Ar+2 =0, Ar+3 6= 0, A 3r+2 6= 0, and A 2r+3 =0. We apply the HT bound with the following parameters: l + ic 1 + jc 2, l = r 0 1, c 1 =1, c 2 = r +1, i =0; 1; 2; 3, and j =0; 1. (Both c 1 =1and c 2 = r +1are relative prime to 2 n 0 1.) The HT bound gives d 6. g) Ar+2 =0, Ar+3 6= 0, A 3r+2 6= 0, and A 2r+3= 6= 0. The of the matrix is at least as large as the of the following submatrix: Ar01 Ar Ar+1 Ar+2 + A 2r Ar Ar+1 Ar+2 +? A 2r+1 Ar+1 Ar+2 +?? A 2r+2 Ar+2 +??? + +???? A 2r+4 A 2r+1 A 2r+2 + A 2r+4? + =6: In each of the above cases, we found that d 6. Since by assumption the codeword weights are odd, the bound can be improved to d 7 as desired. Case ii): Even-weight codewords (i.e., A 0 =0). a) Ar+2 6= 0, A 3r+2 6= 0, and A 2r01 6= 0.

3 682 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000 The of the matrix is at least as large as the of the submatrix shown in (1) at the bottom of this page. b) Ar+2 6= 0, A 3r+2 6=0, and A 2r01 =0. The of the matrix is at least as large as the of the submatrix shown in (2) at the bottom of this page. c) Ar+2 6= 0and A 3r+2 =0. The of the matrix is at least as large as the of the submatrix shown in (3) at the bottom of this page. d) Ar+2 =0and Ar+3 =0. We apply the HT bound with the following parameters l + ic 1 + jc 2, l = r 0 1, c 1 =1, c 2 = r 0 1, i =0; 1; 2; 3; 4, and j =0; 1. (Both c 1 =1and c 2 = r 0 1 are relative prime to 2 n 0 1.) The HT bound gives d 7. e) Ar+2 =0and Ar+3 6= 0. The of the matrix is at least as large as the of the submatrix shown in (4) at the bottom of the following page. Thus in all cases, we obtain d 7. III. DIVISIBILITY OF WEIGHTS We begin by stating a key theorem, due to McEliece [17]. Theorem 4 McEliece: Let 0 be a binary cyclic code, and let l be the smallest number such that l nonzeros of the code 0 (with repetitions allowed) have product 1. Then the weight of every codeword in 0 is divisible by 2 l and there is at least one codeword in C whose weight is not divisible by 2 l+1. Theorem 5: The Hamming weight of each codeword in C is divisible by 2 m. There is at least one codeword in C whose weight is not divisible by 2 m+1. Fig. 1. The fundamental tiles s ; d ; and t. Proof: The nonzeros of the cyclic code C under study here are 01, 0r, 0r. Clearly, replacing the nonzeros of a code by their reciprocals does not alter the divisibility of the code as given by McEliece s theorem. Let A = C 1 [ Cr [ C r. Thus to apply McEliece s theorem to C, we need to find the smallest number of elements drawn from A that when added together, yield a multiple of 2 n 0 1. In the sequel we will at times regard an integer a 2Aas an n-tuple corresponding to the base-2 representation of a. Contrary to conventional notation, we will assume that the leftmost bit of this n-tuple is the least significant bit. It then makes sense to speak of the Hamming weight of an element a of A. Note that in the above viewpoint, all the elements in C 1 have weight one, those in Cr have weight two, and that each element in C r has weight three. Note also that the n-tuple representations of the different elements within a fixed cyclotomic coset Cl are all cyclic shifts of each other. For obvious reasons, we will refer to elements in C 1, Cr, and C r as singles, doubles, and triples, respectively. Furthermore, we will use si; dj ;tk, 0 i; j; k n 0 1 to denote the modulo 2 n 0 1 reductions of the integers 2 i, 2 m+j r, 2 m01+k r 2, respectively. The translation factors 2 m ; 2 m01 in the definition of d 0 ;t 0 are for convenience in pictorial depiction. The integers s 0;d 0;t 0 are provided in picture form in Fig. 1. Thus each picture only identifies the location of 1 s in the corresponding n-tuple. A 0 Ar01 Ar Ar+1 + A 2r A 2r+1 A 1 Ar Ar A 2r+1 A 2r+2 A 2 Ar+1 + +? A 2r+2? Ar01 A 2r02 + A 2r A 2r+1 +? Ar + A 2r A 2r+1 A 2r+2? A 3r+1 Ar+1 A 2r A2r+1 A 2r+2? A 3r A 2r+1 A 2r+2? + +? =7 (1) A 0 Ar01 Ar Ar+1 + A 2r A 2r+1 A 1 Ar Ar+1 + Ar+3 A 2r+1 A 2r+2 A 2 Ar+1 + Ar+3? A 2r+2?? + Ar+3??? + Ar01 A 2r02 A 2r01 A 2r A 2r+1 +? Ar+1 A 2r A2r+1 A 2r+2? A 3r A 2r+1 A 2r+2? + +? =7 (2) A 0 A 1 Ar01 Ar Ar+1 + A 2r A 1 A 2 Ar Ar+1 +? A 2r+1 A 2? Ar+1 +?? A 2r+2? A 4 +???? Ar01 Ar A 2r02? A 2r A 2r+1 + Ar+1 + A 2r A 2r+1 A 2r+2? A 3r+1 +? A 2r+1 A 2r+2? + A 3r+2 =7 (3)

4 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH Fig. 2. Tiling with doubles and a single. Only the doubles are shown. Let B be a collection of elements, drawn from A of minimum possible size whose elements sum to an integer multiple of 2 n 0 1. Note that the collection B cannot really contain repetitions since if B contains the element a 2Atwice, we can get a smaller set whose elements also add to a multiple of 2 n 0 1 simply by replacing the two a s by the element 2a(mod 2 n 0 1) that is also contained in A. Thus we may redefine B to be a subset of A of minimal size whose elements sum to a multiple of 2 n 0 1. Lemma 6: jbj m +1. Proof: Consider the set B 0 containing the single s 0 and the m doubles d i;i = 1; 2; 111;m. The doubles are shown in Fig. 2. Clearly, B 0 is a subset of A of size m +1and the elements of B 0 add to 2 n 0 1. The lemma follows. Let us next assume that B is of size 1 m. Our aim is to arrive at a contradiction, thereby proving that the minimal set B is of size m +1, i.e., the set displayed in Lemma 6 is a minimal set. Step 1: It will be shown as a first step, that without loss of generality, the elements of B can be assumed to sum to 2 n 01 exactly (as opposed to a multiple of 2 n 0 1). Let b 1 ;b 2 ; 111;b be the elements of B and let us visualize the elements b i as being stacked on top of each other in some order, to i=1 form a 2 n matrix B of 0 s and 1 s. Let = bi. Since = 0 (mod 2 n 0 1), we can define the integer by =(2 n 0 1). We will now describe a process of binary addition with carry, which will cause the rows of B to sum to the integer 2 n 0 1 represented by the all-1 tuple. We will term this as wrap-around addition. Each column of B is associated with a carrybox that is initially empty. During the addition process, the carrybox may be filled with one or more 1 s. Wrap-around addition of the rows of B begins with addition of the elements in the leftmost column. If the leftmost column has two or more 1 s, then each pair of 1 s in column 0 is replaced by a single 1 placed in the carrybox associated with column 1. If there is a single 1 remaining in column 0 after all pairs have been so replaced, then we place a 1 in the column zero position of the sum vector wa which we will call the wrap-around sum vector. After addition in column 0 has been completed, we move to column 1 and repeat this process. While adding entries in column 1 of B, we treat the 1 s belonging to the carrybox of column 1 in the same way as the 1 s in other locations of column 1. We will refer to the process of replacing a pair of 1 s in a certain column by a 1 in the carrybox of the succeeding column as the process of clearing a carry. Since =[2 n ( 0 1)] + [ 0 1]2 n, it follows that after carries have been cleared in columns 0 through n 0 2, there will be 2( 0 1) carries that are cleared in column n 0 1. At this stage, we depart from the normal process of binary addition and place the ( 0 1) 1 s arising from clearing carries in column n 0 1 in the carrybox associated to column 0. We then repeat the addition process moving from column 0 through to column n 0 1 again. After reaching column n 0 1, the process is terminated. This modification of the process of binary addition will have the effect of replacing the normal sum by the wrap-around sum = ((2 n 0 1) 0 ( 0 1)) + 2 n ( 0 1) wa =(2 n 0 1) 0 ( 0 1) + ( 0 1) = 2 n 0 1: Note that wa has weight n. Let w B denote the Hamming weight of the binary (2n) matrix B. Clearly, w B 3 3m. Since clearing a carry under wrap-around addition results in the replacement of two 1 s by a single 1, and since the sum vector wa has Hamming weight n =2m +1, it follows that there can be at most 3 0 (2m +1) 3m 0 (2m +1)=m 0 1 carries that are cleared in all. Since n = 2m +1 > m 0 1, there is at least one column, say column 0 j 0 n 0 1, in which a carry did not need to be cleared, at any stage during the wrap-around addition process. If j 0 = n 0 1 then this implies =2 n 0 1 since it follows that 2 n 0 1 and we already know that is a multiple of 2 n 0 1. Thus we may assume that j 0 n 0 2. Since no carries are cleared in column j 0, this means that the carrybox associated with column j 0 +1is empty. Next, let B 0 be the set derived from B by replacing each element b 2Bby b:2 0(j +1) (mod 2 n 01). Let the 2n matrix B 0 correspond to B 0 as B does to B. One can view B 0 as being derived from B by cyclically shifting the columns of B to the left by j 0 +1columns. Thus column j 0 +1of B is column 0 of B 0, etc. (see Table I). Let 0 denote the sum of the rows of B 0, i.e., 0 = i=1 b 0 i: A 0 A 1 A r01 A r A r+1 A r+2 + A 1 A 2 A r A r+1 A r+2 +? A 2? A r+1 A r+2 +?? A r01 A r A 2r02 + A 2r A 2r+1 A 2r+2 A r A r+1 + A 2r A 2r+1 A 2r+2? +? A 2r+2? A 2r+4?? A 2r02 +?? A 3r01? A 3r+1 =7 (4)

5 684 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000 TABLE I RELATING THE COLUMNS OF THE MATRICES B AND B Clearly, 0 = (mod 2 n 0 1) = 0 (mod 2 n 0 1): We claim that 0 =2 n 0 1. To see this, we add the rows of B 0 using normal binary addition (not wrap-around addition). However, we carry out this addition in a somewhat unconventional way, in three stages as described below. To begin with, ignoring the carries cleared in columns 0 through n010(j 0 +1)of matrix B 0, let us begin addition of the rows of B 0 by adding the entries in columns n 0 (j 0 +1)and clearing carries in the usual way. Normally, there would be additional 1 s in the carrybox of column n 0 (j 0 +1)of B 0 arising from carries cleared in the previous column (n01)0(j 0 +1), but here we are for the time being ignoring these. We then proceed to the right, clearing carries as we go along, in the usual way. Let denote the binary vector that is the result of this addition. Let the leftmost n0(j 0 +1)bits of be set to zero. The next j 0 +1 entries are the result of adding the entries in columns n0(j 0 +1) through column n 0 1 of B 0 as described above. Clearly, addition of columns n 0 (j 0 +1)through column n 0 1 of B 0 is identical to addition of columns 0 through j 0 of the matrix B (see Table I) and we know that there are no carries to be cleared in column j 0 of B. Since column j 0 of B corresponds to column n 0 1 of the matrix B 0, it follows that there are no carries cleared in column n 0 1 of B 0 if we ignore, as we have done, the 1 s placed in the carrybox of column n 0 (j 0 +1)of B 0. We claim that even if the carries placed in the carrybox of column n 0 (j 0 +1)of B 0 are taken into account, there will still be no carries cleared in column n 0 1 of B 0, i.e., 0 =2 n 0 1 and thus we are done if this claim is proven. To prove the claim, let us now add the entries in column 0 of B 0 in the usual way and proceed, clearing carries until we reach column (n01)0(j 0 +1). Let the results of addition of these columns be used to replace the first n 0 (j 0 +1)bits of which previously were set to 0. Next, column (n01)0(j 0 +1)of B 0 corresponds to column n01 of B and we know that there are 2( 0 1) carries that are cleared there. Since no carries were cleared in column j 0 of B it follows that there are 2(0 1) carries cleared in column (n01)0(j 0 +1)of B 0 as well. However, clearing the carries in column (n 0 1) 0 (j 0 +1)of B 0 will not affect the fact that no carries are cleared in column n01 of B 0 since column n01 of B 0 corresponds to column j 0 of B and in column j 0 of B, there was no clearing of carries during the entire wrap-around addition procedure. This proves that = 0 2 n 0 1 which forces = 0 =2 n 0 1. To summarize, we have shown to this point that if a minimal set B of size 1 m exists, we may assume the elements of this minimal set to sum to 2 n 0 1 exactly. Step 2: Our next goal is to show that any minimal set B whose associated matrix B has some column of Hamming weight greater than 1 can be replaced by a second minimal set B of the same or lesser size whose associated matrix B has columns of weight exactly 1. We first consider the result of adding a pair of elements drawn from A that overlap. By overlap we mean that if the base-2 representations of the two numbers form the rows of a 2 2 n array, then some column of this matrix has weight 2. Figs. 3 and 4 show all possible pairs of elements drawn from A except that if a; b 2Aare shown in the figure, then the pair 2 i a (mod 2 n 0 1); 2 i b (mod 2 n 0 1) is not displayed. A horizontal line divides the original from its replacement. In the pairs shown in the figure, with two exceptions, the sum of the pair is either a third element in A or else the sum of a nonoverlapping pair contained in A. We shall refer to these as replacements. Also, as can be seen from the figure, in every case in which such a replacement is possible, the replacements have the same integer sum but a smaller Hamming weight. Returning to the minimal set B and its associated matrix B, we know that we can assume that the elements of B add to exactly 2 n 0 1. Consider the leftmost column of B in which there is more than one 1. There must be an odd number 3 of 1 s in that column since the rows of B sum to 2 n 0 1 which in binary representation, is a string of n consecutive 1 s. As a result, at least one pair of elements in B corresponding to rows in B containing a 1 in that column can be replaced either by an element drawn from A or else by a pair of elements drawn from A which do not overlap such that the sum of the elements in the set B after such replacement is still 2 n 0 1. Clearly, this process can be repeated until one arrives at a collection B whose associated matrix B has all columns of Hamming weight 1. The process is guaranteed not to continue indefinitely since the Hamming weight decreases whenever there is a replacement. Step 3: Finally, to finish the proof it is enough to show that it is impossible to have a nonoverlapping set B, i.e., a set whose associated matrix B has all columns of weight one, of size m. Consider a nonoverlapping set B of size m. Let n s ;n d ;n t denote the number of singles, doubles, and triples in B, respectively. Then we have n s +2n d +3n t =2m +1: There must be at least one triple for otherwise, from the above, with n t =0we would get leading to n s +2n d =2m +1 n s + n d m +1: Consider a triple t i 2 B. Since B is a nonoverlapping set, in the matrix B associated with B, there must be precisely one 1 in column i 01 (mod n). After studying the various possibilities one realizes that the only way in which this is possible, while avoiding overlaps is if s i01 2B. Thus there must be at least as many singles as triples, i.e., n s n t : When combined with n s +2n d +3n t =(2m +1), this gives i.e., 2n d +4n t 2m +1 n d +2n t m +1which implies n s + n d + n t m +1

6 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH Fig. 3. Six pairs of tiles and their replacements. and we have the desired contradiction. This completes proof of the theorem. IV. WEIGHT DISTRIBUTION OF THE CYCLIC CODE Set q =2 n and consider the linear code C? BCH = Tr ax + bx 3 + cx 5 x 2 F q a; b; c 2 F q : This code is the extended dual code of the triple-error-correcting BCH code having zeros f1; 3; 5g. Let A version of the Pless power-moment identities gives us M 0 2s = q 6 F (0; 2s) 0 q 3+2s ; for s =1; 2; 3 where F (0; 2s) are in Table II (see, for example, [14]). Since n is odd, it is known [15] that for 6= Thus we can also write 0 ; 2 0; 6 2q; 6 8q : and 0 ; = M 0 2s = x2f q 6= Tr((a +a )x+(b +b )x +(c +c )x ) (01) ( 0 ; ) 2s ; where s =1; 2; 3; 111: M 0 2s = 1(2q) s + 2(8q) s ; for some rational numbers 1 and 2: The sequence fm 0 2sg 1 s=1 thus satisfies the recursion with characteristic polynomial (z 0 2q)(z 0 8q) =z qz +16q 2

7 686 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000 Fig. 4. Replacements for six more pairs of tiles. TABLE II COEFFICIENTS IN THE PLESS POWER-MOMENT IDENTITIES identities that the second, fourth, and sixth moments of C? and C? BCH are the same. We now prove Theorem 7: C? and C? BCH have the same 5-level (nonzero) weight distribution. Proof: Let ; = x2f n Tr ((a +a )x+(b +b )x +(c +c )x ) (01) and i.e., M 0 2(s+2) 0 10qM 0 2(s+1) +16q 2 M 0 2s =0; for s =1; 2; 3; 111: The minimum distance of the cyclic code C defined in the first section is at least 7 from Theorem 3. It follows from the Pless power-moment (5) M 2s = 6= (; ) 2s ; where s =1; 2; 3; 111: Since the minimum distance of C and C BCH is at least 7, M 2s = M 0 2s for s =1; 2; 3. From Theorem 5, the Hamming weight of each codeword in C? is divisible by 2 m. We now proceed along the lines of the proof of Lemma 3 of Canteaut, Charpin, and Dobbertin [2]. We can assume

8 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH ; = V i2 m+1 where V i is some integer and let f i be the number of ; = V i 2 m+1. Thus, From (5) M 2s = l i=1 f i V 2s i 2 2s(m+1) : (6) M qM q 2 M 0 2 = M qM 4 +16q 2 M 2 =8q 3 l =0: i=1 f i V 2 i (V 2 i 0 4)(V 2 i 0 1) Therefore, the only possible value of V i are 0; 61, and 62. Thus as in the case of C? BCH, for 6=, ; 2 0; 6 2q; 6 8q : Since the first three even moments M 2s; M 0 2s for s =1; 2; 3 are the same, it follows that the two codes have the same weight distribution. REFERENCES [1] S. Boztaş and P. V. Kumar, Binary sequences with Gold-like correlation but larger linear span, IEEE Trans. Inform. Theory, vol. 40, pp , Mar [2] A. Canteaut, P. Charpin, and H. Dobbertin, Binary m-sequences with three-valued crosscorrelation: A proof of Welch s conjecture, IEEE Trans. Inform. Theory, vol. 46, pp. 4 8, Jan [3] A. Chang, Minimum distance and decoding algorithm for cyclic codes, Ph.D. dissertation, Univ. So. Calif., Los Angeles, CA, [4] A. Chang, P. Gaal, S. W. Golomb, G. Gong, and P. V. Kumar, On a sequence conjectured to have ideal 2-level autocorrelation function, in IEEE Int. Symp. Information Theory, Cambridge, MA, Aug , 1998, p [5] A. Chang, T. Helleseth, and P. V. Kumar, Further results on a conjectured 2-level autocorrelation sequence, in 36th Ann. Allerton Conf. Communication, Control and Computing, Allerton, IL, Sept , [6] J. Dillon and H. Dobbertin, Cyclic difference sets with Singer parameters, to be published. [7] H. Dobbertin, Kasami power functions, permutation polynomials and cyclic difference sets, in NATO-A.S.I. Workshop, Bad Windsheim, Germany, Aug. 3 14, [8] R. Gold, Maximal recursive sequences with 3-valued recursive cross-correlation functions, IEEE Trans. Inform. Theory, vol. IT-14, pp , Jan [9] G. Gong and S. W. Golomb, Hadamard transforms of three-term sequences, IEEE Trans. Inform. Theory, vol. 45, pp , Sept [10] C. R. P. Hartmann and K. K. Tzeng, Generalization of the BCH bound, Inform. Contr., vol. 20, pp , [11] T. Helleseth and P. V. Kumar, Pseudonoise sequences, in The Mobile Communications Handbook, J. Gibson, Ed. New York: CRC Press and IEEE Press, [12], Sequences with low correlation, in Handbook of Coding Theory, V. Pless and C. Huffman, Eds. Amsterdam, The Netherlands: Elsevier, [13] T. Kasami, Weight distributions of Bose Choudhary Hochquengham codes, in Combinatorial Mathematics and its Applications. Chapel Hill, NC: Univ. North Carolina Press, [14] P. V. Kumar and C.-M. Liu, On lower bounds to the maximum correlation of complex roots-of-unity sequences, IEEE Trans. Inform. Theory, vol. 36, pp , May [15] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North Holland, [16] B. R. McDonald, Finite Rings with Identity. New York: Marcel Dekker, [17] R. J. McEliece, On periodic sequences from GF (q), J. Combin. Theory, vol. 10, no. 1, pp , Jan [18] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee, and P. Gaal, Binary pseudorandom sequences of period 2 01 with ideal autocorrelation, IEEE Trans. Inform. Theory, vol. 44, pp , Mar [19] D. V. Sarwate and M. B. Pursley, Crosscorrelation properties of pseudorandom and related sequences, Proc. IEEE, vol. 68, pp , [20] T. Schaub, A linear complexity approach to cyclic codes, Ph.D. dissertation, Swiss Federal Ins. Technol., Zurich, Switzerland, Fourier Transforms and the -Adic Span of Periodic Binary Sequences Mark Goresky, Associate Member, IEEE, Andrew M. Klapper, Member, IEEE, and Lawrence Washington Abstract An arithmetic or with-carry analog of Blahut's theorem is presented. This relates the length of the smallest feedback with-carry shift register to the number of nonzero classical Fourier coefficients of a periodic binary sequence. Index Terms Blahut's theorem, feedback register, Fourier coefficients, periodic binary sequence, 2-adic numbers. I. INTRODUCTION The purpose of this correspondence is to develop an arithmetic analog of Blahut's theorem [1], [3], which relates the linear span of a sequence to its discrete Fourier transform. For comparison, let us recall this theorem. Let S = a0;a1; 111be a periodic binary sequence with period L. The linear span of S, denoted (S), is the length of the shortest linear recurrence satisfied by S or, equivalently, the size of the smallest linear feedback shift register that generates S. It is an important measure of the complexity of a sequence, and it is used in a number of engineering applications. For example, suppose that S is to be used as the key in a stream cipher. The Berlekamp Massey algorithm can be used by a cryptanalyst to recover the sequence once 2(S) bits of S are known. Thus S is secure only if (S) is large. Let be a primitive Lth root of unity in some field extension F of GF (2). (Such a exists if and only if L is odd. Various work has been done to extend Blahut's theorem to the case when L is even, [4].) The kth discrete Fourier coefficient of S is a k = L01 i=0 a i ki 2 F: Blahut's remarkable theorem says that the linear span of S is equal to the number of nonzero discrete Fourier coefficients of S. It makes Manuscript received October 19, 1997; revised October 25, The work of A. Klapper was supported in part by NSF under Grant NCR The work of L. Washington was supported in part by NSA under Grant MDA M. Goresky is with the School of Mathematics, Institute for Advanced Study, Princeton, NJ USA ( goresky@ias.edu). A. M. Klapper is with the Department of Computer Science, 763H Anderson Hall, University of Kentucky, Lexington, KY USA ( klapper@cs.engr.uky.edu). L. Washington is with the Department of Mathematics, University of Maryland, College Park, MD USA ( lcw@math.umd.edu). Communicated by D. Stinson, Associate Editor for Complexity and Cryptography. Publisher Item Identifier S (00) /00$ IEEE